From: Water World
By Andrew Ginter
Recent Department of Homeland Security reports have highlighted poor security among the nation’s water utilities, where operations networks and control systems are inadequately protected. The security situation in critical infrastructure is raising ratepayer concerns and prompting utilities to ask hard questions about which actions can truly improve their cybersecurity situations.
Are firewalls – the most common form of security in the market – capable of combatting modern threats? Would water system utilities be better protected if they completely isolated their control-system networks from public networks? Or is there a third option that would retain the efficiencies and cost savings that come from access to real-time operations information, while also protecting plants from cyber attacks? Technology that routinely protects industrial control networks in power plants and other critical infrastructures can help water utilities answer these questions.
Firewalls and Modern Security Threats
Firewalls are a staple of industrial cybersecurity programs, but they have many inherent flaws that water facilities must identify, consider and address. Firewalls are complex software systems because they are difficult to configure, and their configurations are difficult to understand and verify. The smallest error in these configurations can introduce vulnerabilities. Defects are frequently discovered in firewall software and in the complex operating systems underlying that software, some of which can be exploited as security vulnerabilities. In order to prevent exploitation of known defects and vulnerabilities, firewall vendors issue a steady stream of security updates, which must be applied promptly. Even worse, because the firewalls provide not only real-time data but also online access to mission-critical systems and networks, the firewalls fundamentally expose these environments to numerous types of attacks.
For example, phishing attacks send email through a firewall to persuade recipients to either reveal passwords or to download and run malware. Meanwhile, vulnerabilities as simple as hard-coded passwords and hard-coded encryption keys have been reported in industrial firewalls. In addition, cross-site scripting vulnerabilities in HTTP-based “VPN” proxy servers are difficult or impossible to fix because they are essential to the design of the firewall’s features.
 |
| Defects are frequently discovered in firewall software and in the complex operating systems underlying that software, some of which can be exploited as security vulnerabilities. Photo courtesy of Waterfall Security Solutions. |
Even if connections through firewalls are initiated from the control network side, once the connections are established, they permit bi-directional data to flow through the firewalls. Any of those flows can be used to launch attacks back to systems on the protected network. This means that utilities cannot deliver any confidence that their operational assets are adequately protected by firewalls. The level of risk is unacceptably high, and water utilities must compensate for it.
Beyond Firewalls: Unidirectional Gateways for Better Cybersecurity
Firewalls are a difficult and costly technology to manage. To keep firewalled connections even somewhat secure, utilities must implement stringent processes, procedures, testing, reviews, audits, documentation, and other activities. Since continuous access to real-time data is essential to controlling costs and serving customers, water utilities should consider unidirectional gateways.
Leave a Reply